net-update verifcation checking is still insecure (aka gpg key shadowing, again)

Bug #1013639 reported by Jamie Strandboge
264
This bug affects 2 people
Affects Status Importance Assigned to Milestone
apt (Ubuntu)
Fix Released
Critical
Jamie Strandboge
Hardy
Fix Released
Critical
Jamie Strandboge
Lucid
Fix Released
Critical
Jamie Strandboge
Natty
Fix Released
Critical
Jamie Strandboge
Oneiric
Fix Released
Critical
Jamie Strandboge
Precise
Fix Released
Critical
Jamie Strandboge
Quantal
Fix Released
Critical
Jamie Strandboge

Bug Description

This is related to but different than:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/857472
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013128

FYI:
http://seclists.org/fulldisclosure/2012/Jun/271
http://seclists.org/fulldisclosure/2012/Jun/289

The fix for both of the previous bugs was not enough. There is reportedly an active exploit utilizing the Ubuntu CD Image Automatic Signing Key.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This has been assigned CVE-2012-0954.

visibility: private → public
Changed in apt (Ubuntu Lucid):
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apt (Ubuntu Natty):
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apt (Ubuntu Oneiric):
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apt (Ubuntu Precise):
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apt (Ubuntu Quantal):
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apt (Ubuntu Hardy):
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Jamie Strandboge (jdstrand)
summary: - gpg key shadowing, again
+ net-update verifcation checking is still insecure (aka gpg key
+ shadowing, again)
Revision history for this message
Michael Vogt (mvo) wrote :

Here is a alternative approach for the net-update:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/857472/comments/2

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Ok, I am disabling net-update like in http://www.ubuntu.com/usn/usn-1215-1/ until we can get this fixed for real. As discussed in IRC, we'll need to change how we verify via net-update and this is not something we want to rush.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

I filed bug #1013681 to track the progress of the real fix.

Changed in apt (Ubuntu Lucid):
status: In Progress → Fix Committed
Changed in apt (Ubuntu Natty):
status: In Progress → Fix Committed
Changed in apt (Ubuntu Oneiric):
status: In Progress → Fix Committed
Changed in apt (Ubuntu Precise):
status: In Progress → Fix Committed
Changed in apt (Ubuntu Quantal):
status: In Progress → Fix Committed
Changed in apt (Ubuntu Hardy):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.7.9ubuntu17.6

---------------
apt (0.7.9ubuntu17.6) hardy-security; urgency=low

  * SECURITY UPDATE: Disable apt-key net-update for now, as validation
    code is still insecure
    - cmdline/apt-key: exit 1 immediately in net_update()
    - CVE-2012-0954
    - LP: #1013639
 -- Jamie Strandboge <email address hidden> Fri, 15 Jun 2012 07:48:24 -0500

Changed in apt (Ubuntu Hardy):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.9.6ubuntu3

---------------
apt (0.9.6ubuntu3) quantal; urgency=low

  * SECURITY UPDATE: Disable apt-key net-update for now, as validation
    code is still insecure
    - cmdline/apt-key: exit 1 immediately in net_update()
    - CVE-2012-0954
    - LP: #1013639
 -- Jamie Strandboge <email address hidden> Fri, 15 Jun 2012 08:03:17 -0500

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.8.16~exp12ubuntu10.2

---------------
apt (0.8.16~exp12ubuntu10.2) precise-security; urgency=low

  * SECURITY UPDATE: Disable apt-key net-update for now, as validation
    code is still insecure
    - cmdline/apt-key: exit 1 immediately in net_update()
    - CVE-2012-0954
    - LP: #1013639
 -- Jamie Strandboge <email address hidden> Fri, 15 Jun 2012 08:02:02 -0500

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.8.16~exp5ubuntu13.5

---------------
apt (0.8.16~exp5ubuntu13.5) oneiric-security; urgency=low

  * SECURITY UPDATE: Disable apt-key net-update for now, as validation
    code is still insecure
    - cmdline/apt-key: exit 1 immediately in net_update()
    - CVE-2012-0954
    - LP: #1013639
 -- Jamie Strandboge <email address hidden> Fri, 15 Jun 2012 08:00:43 -0500

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.8.13.2ubuntu4.6

---------------
apt (0.8.13.2ubuntu4.6) natty-security; urgency=low

  * SECURITY UPDATE: Disable apt-key net-update for now, as validation
    code is still insecure
    - cmdline/apt-key: exit 1 immediately in net_update()
    - CVE-2012-0954
    - LP: #1013639
 -- Jamie Strandboge <email address hidden> Fri, 15 Jun 2012 07:59:17 -0500

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apt - 0.7.25.3ubuntu9.13

---------------
apt (0.7.25.3ubuntu9.13) lucid-security; urgency=low

  * SECURITY UPDATE: Disable apt-key net-update for now, as validation
    code is still insecure
    - cmdline/apt-key: exit 1 immediately in net_update()
    - CVE-2012-0954
    - LP: #1013639
 -- Jamie Strandboge <email address hidden> Fri, 15 Jun 2012 07:58:02 -0500

Changed in apt (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in apt (Ubuntu Natty):
status: Fix Committed → Fix Released
Changed in apt (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Changed in apt (Ubuntu Precise):
status: Fix Committed → Fix Released
Changed in apt (Ubuntu Quantal):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.